Archive for windows

Gromozon Rootkit Removal Tool

Over the past couple of weeks, home-based anti-malware experts and commercial anti-malware vendors have been analyzing and creating fixes for a new rootkit dubbed the Gromozon Rootkit. This infection uses a variety of means to stay active other than the rootkit itself, from the creation of a random user name running a random Windows service to files hidden by being stored in an Alternate Data Stream.

One of the main problems with this rootkit is that it immediately shuts down most rootkit-detecting programs and other tools that could be used to remove the infection, which obviously makes its removal even more difficult to accomplish.

The second major problem is that this infection is very hard to detect. One main clue is an O2 entry in a HijackThis log. This entry will show a .dll file in the Windows %System% folder whose name ends with a 1. The file will also show as missing, but no matter what you do, you cannot remove the entry. An example of this type of entry is shown below. This symptom, along with a strangely sluggish computer, is a good hint that you are infected with the Gromozon Rootkit.

O2 - BHO: Class - {E9F2DB15-AE58-AC0D-C62F-5E4DB3F6EE1F} - C:\WINDOWS\opvek1.dll (file missing)

Thankfully, Prevx has recently released a free removal tool to detect and remove the Gromozon Rootkit. You can download this tool at the following URL:

http://www.prevx.com/gromozon.asp

To use the program, simply download it to your computer and double-click the downloaded file. Then click the Scan button and follow the prompts. When it finishes, you should be clean of this infection.

Great job Prevx!


Today is Patch Tuesday for Microsoft and it's a doozy

The second Tuesday of every month is Microsoft's Patch Tuesday. It is on this day that they release security updates for any vulnerabilities that may have been discovered the previous month. This month's Patch Tuesday is a doozy, though. It contains 2 Windows security patches, 1 IE update that contains fixes for multiple problems, an Outlook Express update, and an update to the Microsoft FrontPage Extensions.

It is advised that everyone who runs Windows install these patches immediately. They can be installed via Automatic Updates, if it is configured on your computer, or by going to Windows Update.


WMF Vulnerability Checker

Not only has Ilfak Guilfanov released a patch for this vulnerability, but he has also created a program that will tell you whether your computer is vulnerable. You can find information about this vulnerability checker here:

http://www.hexblog.com/2006/01/wmf_vulnera…ty_checker.html

For a concise guide on installing the patch, disabling Shimgvw.dll, and checking your system, read our WMF vulnerability guide here:

How to protect yourself from the Windows Metafile Vulnerability


Unofficial WMF Vulnerability Patch Released

An unofficial patch for the WMF vulnerability has been released. This program patches in memory the Escape() routine of GDI32.dll so that it will not accept the SETABORT escape sequence that is being used to exploit this vulnerability.

You can get the patch here:

http://www.hexblog.com/security/files/wmffix_hexblog13.exe

This patch has been tested and works as advertised, and it is supported under Windows 2000, XP 32-bit, XP 64-bit, and Windows Server 2003. It should be installed by every Windows user until Microsoft releases an official patch.


Having Fun With WMF Exploits

Well, the WMF exploit is definitely the hot topic right now. For the most part we are seeing only rogue sites (they tend to be .info or .biz sites) using WMF files to install fake antispyware apps and other spyware/adware software. Today, though, there have been reports of an MSN Messenger worm in the Netherlands utilizing this exploit. Be on the lookout for any MSN Messenger messages telling you to visit a link to any image file.

Why do I say any? Because it's possible to create a malformed WMF file to exploit your computer and simply change the extension to JPG or GIF. You then think it's a safe file, but in reality the OS will read the file's headers, see that it is really a WMF file, and exploit you all the same.
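As an added example (not code from this post, from Prevx, or from hexblog), here is a defender-side Python triage check that ties together the two WMF posts above: it identifies WMF content by its header regardless of the file extension, exactly the header sniffing described above, and walks the metafile's records to flag META_ESCAPE records carrying the SETABORTPROC escape number, the Escape() call the unofficial patch blocks. Header and record layouts follow the MS-WMF specification; the sample files at the bottom are constructed fixtures with record headers only and no escape data.

```python
import struct

# Constants from the MS-WMF specification; the fixtures at the bottom are constructed here.
PLACEABLE_MAGIC = b"\xd7\xcd\xc6\x9a"  # little-endian 0x9AC6CDD7, starts a 22-byte placeable header
META_ESCAPE, SETABORTPROC, META_EOF = 0x0626, 0x0009, 0x0000

def wmf_header_offset(data):
    """Offset of the standard WMF header if the bytes are a WMF, else None (extension ignored)."""
    off = 22 if data[:4] == PLACEABLE_MAGIC else 0
    if len(data) < off + 18:
        return None
    mtype, hdr_size, version = struct.unpack_from("<HHH", data, off)
    ok = mtype in (1, 2) and hdr_size == 9 and version in (0x0100, 0x0300)
    return off if ok else None

def find_setabortproc(data):
    """Walk the record list; return offsets of META_ESCAPE records carrying SETABORTPROC."""
    off = wmf_header_offset(data)
    if off is None:
        return []
    hits, pos = [], off + 18
    while pos + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, pos)
        if size_words < 3 or func == META_EOF:  # record shorter than its header, or end of file
            break
        if func == META_ESCAPE and pos + 8 <= len(data):
            if struct.unpack_from("<H", data, pos + 6)[0] == SETABORTPROC:
                hits.append(pos)
        pos += size_words * 2
    return hits

def verdict(filename, data):
    """Triage label: WMF or not, SETABORTPROC escape present or not, disguised extension or not."""
    if wmf_header_offset(data) is None:
        return "not-wmf"
    label = "wmf-setabortproc" if find_setabortproc(data) else "wmf"
    return label if filename.lower().endswith(".wmf") else label + "-disguised"

# Constructed fixtures: record headers only, no escape data.
def _record(func, params=b""):
    return struct.pack("<IH", (6 + len(params)) // 2, func) + params
def _wmf(records):
    body = b"".join(records)
    hdr = struct.pack("<HHHIHIH", 2, 9, 0x0300, (18 + len(body)) // 2, 0,
                      max(len(r) // 2 for r in records), 0)
    return hdr + body
SETBKCOLOR = _record(0x0201, struct.pack("<I", 0x00FFFFFF))             # harmless drawing record
ESCAPE_REC = _record(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 0))  # escape number, zero bytes
BENIGN = _wmf([SETBKCOLOR, _record(META_EOF)])
SUSPECT = _wmf([SETBKCOLOR, ESCAPE_REC, _record(META_EOF)])
```

Run `verdict("photo.jpg", open(path, "rb").read())` over a mail spool or download folder to see which "images" are really metafiles; a "-disguised" verdict on its own is worth quarantining, since a renamed WMF has no legitimate reason to exist.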

I spent a good chunk of yesterday, in between feeding the twins, playing around with various sites that have WMF exploits. I tested these sites with shimgvw.dll registered and unregistered. I also tested while enabling Software DEP, as I do not have the hardware necessary to use Hardware DEP.

What I found was:

Tests done while shimgvw.dll is registered

Visit a site that launches a WMF via an iframe or other method - The WMF file will load in Picture Viewer, Picture Viewer and IE will close, and you are now infected or being infected.

Download the WMF and launch it - If you download the WMF and run it from a command prompt, it will infect you as well.

Open a folder that the WMF resides in - If you open the folder, you get infected as the OS tries to generate thumbnails and thus processes the WMF headers that infect you.

Tests done while shimgvw.dll is unregistered

Visit a site that launches a WMF - Not infected; the image viewer did not open.

Download the WMF and launch it - Nothing happens

Open a folder that the WMF resides in - Nothing happens

Third-party software

IrfanView - Infects with or without shimgvw.dll being registered. Still need to test this with DEP.

When I tested with Software DEP on, my test computer was protected, but there have been too many people stating that they were still being infected. Due to this conflicting information going around, I still suggest that people unregister the DLL to help prevent getting infected by these files. It's not a perfect solution, but it's better than nothing.

Because unregistering/registering a DLL can be difficult for some people, I put together a script and a guide on how to unregister shimgvw.dll.

The guide on using the script and unregistering the DLL can be found here:

Windows Metafile Exploit Mitigation By Unregistering Shimgvw.dll

The script to unregister the DLL can be found here:

shimgvw.zip





© 2003-2008 All Rights Reserved Bleeping Computer LLC.
